Support reading PCAP files that are still being written to #2723

Closed
awick opened this issue Mar 27, 2024 · 1 comment

awick commented Mar 27, 2024

Support a new command line option that tells capture to process pcap files that are still open for writing. This will be useful with Suricata 7 and other tools that write out large pcaps we want to process as they are being written to.

This will probably require scheme mode so we have direct access, which means we need to add monitor mode to scheme. Then when the file is closed move to the next file?

I'm not sure this is even possible.

@awick awick self-assigned this Apr 2, 2024
@awick awick added this to the 5.3 milestone Apr 2, 2024

awick commented Jun 17, 2024

I couldn't figure out how to do this. You could do a tail -f type feature, but you could already do that with cat pcap | capture -r -.

@awick awick closed this as completed Jun 17, 2024
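To process a growing pcap record by record, a reader has to tell "record not fully written yet" apart from end-of-file. The following is an added example, not code from this project or from the issue's author, of a follower that only releases complete records; it assumes the classic pcap format (not pcapng) and an append-only writer, and `PcapFollower`, `poll` and `max_record` are hypothetical names.

```python
import struct

# Classic pcap magic numbers as they appear on disk -> struct byte-order prefix
# (microsecond and nanosecond timestamp variants).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}


class PcapFollower:
    """Hypothetical helper: returns only complete records from a growing pcap."""

    def __init__(self, path, max_record=262144):
        self.f = open(path, "rb", buffering=0)  # unbuffered: always see new bytes
        self.offset = 0        # end of the last fully consumed structure
        self.order = None      # byte order, known once the file header is read
        self.header = b""      # 24-byte file header, to replay to the consumer
        self.max_record = max_record  # assumed sanity bound on incl_len

    def _peek(self, n):
        """Return n bytes at self.offset, or None if the writer is not there yet."""
        self.f.seek(self.offset)
        data = self.f.read(n)
        return data if len(data) == n else None

    def poll(self):
        """Return every complete record (header + payload) written since last call."""
        records = []
        if self.order is None:
            hdr = self._peek(24)
            if hdr is None:
                return records
            if hdr[:4] not in MAGICS:
                raise ValueError("not a classic pcap file")
            self.order, self.header, self.offset = MAGICS[hdr[:4]], hdr, 24
        while (rec_hdr := self._peek(16)) is not None:
            incl_len = struct.unpack(self.order + "IIII", rec_hdr)[2]
            if incl_len > self.max_record:
                raise ValueError("implausible record length, stream is corrupt")
            record = self._peek(16 + incl_len)
            if record is None:  # payload only partly flushed: retry on next poll
                break
            records.append(record)
            self.offset += len(record)
        return records
```

A caller would write `follower.header` once and then each `poll()` result to the consumer's stdin, sleeping between polls.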